
Sharing personal data - simple but costly errors


August 25, 2016

A simple typing error can end up costing thousands of pounds in fines by the Information Commissioner's Office ("ICO") if it breaches the provisions of the Data Protection Act 1998 ("DPA"). In this update, we consider how to protect your business from falling foul of its obligations under the DPA.

Protecting personal data

Personal data is data that is capable of identifying a living individual. This may include email addresses, direct dial phone numbers or job titles, provided that the information at hand (on its own or together with other information that the data controller holds) could identify a living individual. For example, the email address john.smith@companyltd.co.uk is personal data because from that data it is possible to identify a particular John Smith who works at Company Ltd. However, the name John Smith on its own is not personal data, as it is unlikely to identify a particular John Smith.

A data controller (i.e. the person who determines how and for what purpose personal data is to be used) is required to comply with the provisions of the DPA. This includes ensuring that all personal data held is processed (i.e. obtained, recorded, stored, disclosed etc.) in accordance with the Data Protection Principles ("Principles"). Two of the Principles specify that personal data should: (i) be kept secure; and (ii) not be used without the consent of the person to whom the data relates ("Data Subject") or shared with third parties against their wishes.

Lessons to be learned

In May, a London NHS Trust was fined for breaching its obligations under the DPA by inadvertently sharing the email addresses of hundreds of HIV service users. This breach occurred after a Soho sexual health clinic entered the email addresses of 781 recipients into the "To" field of the email instead of the "Bcc" field. Every recipient of the newsletter could therefore see the email addresses of all other addressees, 730 of which contained recipients' full names.

In 2012, the Metropolitan Police failed to "Bcc" all recipients of a victims of crime survey, resulting in the personal data of victims of crime being shared with the other recipients.

Further, in April of last year, a Welsh police authority accidentally sent an internal email containing the names, addresses and telephone numbers of eight registered sex offenders to an external email address. The unauthorised disclosure of the offenders' personal data was the result of an officer unintentionally pressing the return key while viewing the police authority's global email address book.

Consequences of breaches

When a breach of the DPA is alleged, the ICO has a number of sanctions at its disposal, including: (i) the service of "stop now" notices (which require data controllers to stop any activities that breach the DPA); (ii) fines of up to £500,000; or (iii) criminal prosecution of the data controller allegedly in breach.

When assessing the alleged breach, the ICO must consider whether substantial damage or distress has been caused to the Data Subject. In most cases, substantial damage is financial loss or physical harm and substantial distress is a level of upset, emotional or mental pain that goes beyond annoyance or irritation.

In the Soho sexual health clinic case, the ICO decided that, in light of the sensitivity of the emails and the likelihood of substantial distress, it was appropriate to fine the NHS Trust £180,000.

As yet no decision has been taken by the ICO regarding the Metropolitan Police.

In the Welsh police authority case, the ICO fined the police authority £150,000.

Getting it right

In light of the monetary penalties that can be imposed by the ICO, it is important for data controllers to have a data security policy that is appropriate to the nature of the data they process. If the data is particularly sensitive (e.g. health records, residential addresses or bank account details), more stringent security measures will be required, such as limiting the number of people who have access to the data or preventing the data from being copied or reproduced by employees.

In addition, it is important for data controllers to anticipate the DPA breaches that may arise and put in place preventative measures against them (e.g. training the employees who are responsible for data processing). The examples above demonstrate that careless typing errors can have serious consequences, so it is important that all employees involved in the processing of data are aware of their obligations under the DPA.
